Storing a list of string in Claim (System.Security.Claims)

The ValueType is a way for your code to identify how the value is to be interpreted/deserialized, such as containing an XML schema type. If used between code from different sources, it makes sense, but in your own application you can just ignore it as long as you know how to interpret the contents.

But to have multiple values, you won't need to use complex types. A claims identity can have multiple claims with the same ClaimType, so instead of serializing the codes into a JSON string you should just add multiple claims, one for each user code, all having the same claim type. That will make it possible to use the HasClaim method for checking if a specific user code is present.
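
The approach described in the answer above, as an added example that is not part of the original answer. The claim type URI, the authentication type string and the sample user codes are hypothetical values constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class UserCodeClaimsDemo
{
    // Hypothetical claim type URI (assumption); use one from your own namespace.
    private const string UserCodeClaimType = "urn:example:claims/usercode";

    // Builds an identity carrying one claim per user code, all with the same claim type.
    public static ClaimsIdentity BuildIdentity(string name, IEnumerable<string> userCodes)
    {
        var identity = new ClaimsIdentity("ExampleAuth"); // constructed authentication type
        identity.AddClaim(new Claim(ClaimTypes.Name, name));
        identity.AddClaims(userCodes.Select(code =>
            new Claim(UserCodeClaimType, code, ClaimValueTypes.String)));
        return identity;
    }

    public static void Main()
    {
        // Constructed sample codes.
        var identity = BuildIdentity("alice", new[] { "A100", "B200", "C300" });

        // HasClaim matches the claim type case-insensitively and the value
        // with an ordinal, case-sensitive comparison, so an authorization
        // check only passes on an exact code.
        Console.WriteLine("B200 present: " + identity.HasClaim(UserCodeClaimType, "B200"));
        Console.WriteLine("b200 present: " + identity.HasClaim(UserCodeClaimType, "b200"));
        Console.WriteLine("Z999 present: " + identity.HasClaim(UserCodeClaimType, "Z999"));

        // FindAll returns every claim of that type, which recovers the full list.
        var codes = identity.FindAll(UserCodeClaimType).Select(c => c.Value).ToList();
        Console.WriteLine("All codes: " + string.Join(",", codes));

        // Contrast: the same codes packed into a single JSON-valued claim.
        // HasClaim compares the whole string, so a per-code check cannot match
        // and every caller would have to deserialize the value first.
        var packed = new ClaimsIdentity("ExampleAuth");
        packed.AddClaim(new Claim(UserCodeClaimType, "[\"A100\",\"B200\",\"C300\"]"));
        Console.WriteLine("Packed, B200 present: " + packed.HasClaim(UserCodeClaimType, "B200"));
    }
}
```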


Stick with JSON or use Multivalued Claim (multivalued attribute in LDAP terms).

Let's not confuse System.Security.Claims.Claim.Type and Claim.ValueType. Type is the "Claim name" (Attribute name in LDAP speak). See System.Security.Claims.ClaimTypes for sample URIs. ValueType is for XML serialization. See System.Security.Claims.ClaimValueTypes for sample URIs.

You were thinking about using ValueType to serialize properly. It is not totally impossible; you would need to program it yourself. I am afraid that there are not many others that can deal with it (in a SAML Token). So don't, unless they are holding a gun on you. Dominick also warned you.

You would need to write some things; see post on MS forums. This was for WIF 3.5, but the principle is the same under .NET 4.5.